If you get an unexpected call from Apple Support, you’re being hacked

Have you ever had an unexpected direct phone call from Apple support? I have not, and if you do ever receive one, you probably aren’t talking to Apple. The company says you should immediately hang up.

“If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up,” the company support website states.

Don’t fall for it

Other things it warns against are suspicious calendar invitations in Mail or Calendar, annoying pop-ups in the browser, unexpected software download prompts, and fraudulent emails.[ How to choose the right UEM platform ]

The company offers up reporting tools you can use to tell Apple if you experience any of these, and if you have had such experiences, you should report them.

What makes this advice relevant right now is a new phishing scam in operation in which people are receiving convincing looking Apple ID password reset warnings, sometimes followed by unsolicited calls claiming to be from Apple.

It’s an attempt to abuse the Multi Factor Authentication (MFA) system Apple’s devices are protected by.

What happens during an attack

• What happens is that target devices are forced to show dozens of system level prompts (basically MFA warnings sent by Apple’s Forgot Password feature) that stop the target device from working until a user chooses Allow or Don’t Allow on those prompts.
• Once the target disallows all those requests, they will receive a phone call from a number that looks like Apple Support and will be warned the user is under attack and must verify a one-time code.
• The aim of the attack is to trigger an Apple ID reset code to be sent to the target device, and to then get the user to share that code over the phone.
• If you ever receive such a code, you’ll see that alongside it you will be sent a warning not to share that code with anyone else.
• But this is why attackers work so hard to seem convincing, because if a target hands the code over, the attacker will immediately take over the user’s Apple ID and lock the user out.
• They then gain access to all your Apple ID protected data and services and can remotely wipe all your Apple devices.

These are sophisticated attacks

Critical to understanding the nature of this attack is knowing that if you are targeted by it, you have probably already been selected as an attack target. These are relatively organized attempts, and whoever is behind an attack will already have researched for some details about the victim.

That’s because they need to have the email address and phone number associated with your Apple ID. Those details may come from data brokers and people search websites, such as PeopleDataLabs, KrebsOnSecurity suggested earlier this week.

The attackers need to have sourced information about the target to come across as genuine in the all-important phone call during which they con the target into sharing the reset code. In other words, these are highly tactical, planned attacks in which hackers have assembled large quantities of personal data.

Michael Covington, VP of Portfolio Strategy at Jamf puts it this way: “MFA bombing presents a challenge to any targeted user, as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made.

“What they don’t realize, however, is that this attack is typically preceded by a successful compromise of the user’s credentials, thus allowing a hacker to initiate the sign-in process.”

Jamf recently warned that many Apple-using businesses are still soft targets for such attemps.

How to protect yourself

There are some simple ways to protect yourself against these kinds of social-engineering enhanced attacks:

• Accept that if you get an unsolicited call from Apple Support, the call is almost certainly a hoax.
• Even if you have actually requested a call, you should still ask verification questions to help confirm the call is genuine.
• If you’ve not requested a call or the verification fails, then you should just put your phone down.
• Never, ever share the reset code for your Apple ID with anybody. No reputable company will ever ask for such disclosure.
• Use strong and unique passcodes to protect your Apple ID.
• Never share this kind of information on the phone.

If you experience an attack like this, you should report them using details provided by Apple support. Reporting is a vital protection against attacks like these. If everyone does report them, Apple’s systems can more swiftly be tweaked to intercept such attacks.

Expect a security update

The second thing every Apple user should do is keep all their devices updated. Devices running older operating systems frequently carry unpatched vulnerabilities that attackers may exploit.

It’s plausible to think Apple’s security teams will react to attacks such as this one with changes in the OS to protect against the attack method. That’s almost certainly the case this time, as this attack exploits a bug that lets attackers bypass the number of Forgot Password requests allowed by Apple. I’m certain Apple’s teams are already working on securing that, unless they have already.

Finally, trust your instincts. Don’t click on links from people you don’t know, and don’t take phone calls from dodgy support entities you haven’t requested.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.